This article was prompted by the recent report, on 03.05.2017, that an employer was prosecuted under the Malaysian Personal Data Protection Act 2010 (“the Act”) for processing the personal data/information of its former employee without a certificate of registration issued by the Personal Data Protection Commissioner. This is the first ever prosecution under the Act, despite the Act having been in operation since 15.11.2013. The offence, on conviction, is punishable under the Act with a maximum fine of RM500,000 or imprisonment of up to three years, or both.
While pressing a criminal charge on the ground of a missing certificate might sound harsh in this case, no employee would want their personal information to be held by an unauthorised employer or, worse still, to be misused through the way in which it is or has been processed. This is why a breach of the Act can have serious consequences for an employer, especially when employees or ex-employees lodge a complaint. The purpose of this article is to set out the “minimum” compliance exercise that employers should undertake under the Act when requesting or retaining the personal information of their employees, ex-employees, job applicants, probationers, consultants, agency workers, interns and volunteers (collectively referred to as “employee”).
‘Personal Data’ under Employment
It is typical for an employer to hold not only the personal data/information of its customers, but also that of every employee during the course of his/her employment. Such information ranges from basic details (for example: name, address and identity card number) to information of a more sensitive nature (for example: work experience, referee contacts, bank account details, medical and health records), in each case being information from which the employee, as the ‘Data Subject’, can be identified.
It should be noted that the purpose of the Act is to regulate the processing of the personal data of the ‘Data Subject’ by the ‘Data User’ in the course of its business. An employer, being a ‘Data User’ that collects, retains and/or uses the employee’s personal data in the course of its business, in particular to manage the employment relationship, is therefore subject to the Act in the interest of the employee as ‘Data Subject’. Hence, “active” measures need to be taken by the employer to comply with the Act and its regulations, or it risks facing prosecution in future. The following compliance exercises are recommended for the employer:-
(A) obtain a certificate of registration; and
The Federal Government and the State Governments are, however, exempted from compliance with the Act.
(A) Obtaining a certificate of registration
The law requires a person belonging to a class of data users specified in the Personal Data Protection (Class of Data Users) Order 2013 (“2013 Order”) or the Personal Data Protection (Class of Data Users) (Amendment) Order 2016 (“2016 Amendment Order”), both being subsidiary legislation made under the parent Act, to comply with the registration requirement under section 15 of the Act by obtaining a certificate of registration issued by the Personal Data Protection Commissioner. Failure to do so is an offence punishable by a fine not exceeding RM500,000 or imprisonment for a term not exceeding three (3) years, or both.
Therefore, should the employer belong to any class of data users specified in the 2013 Order (which contains 11 classes) or the 2016 Amendment Order (which adds another 2 classes), it must register. The Personal Data Protection Department provides an online portal for such registration and the issuance of the certificate of registration, accessible at https://daftar.pdp.gov.my/login.php.
With reference to the aforesaid news, the employer in question, being a private educational institution, belongs to the 7th class of data users specified in the 2013 Order, and was thus required to be registered as a data user under the Act, yet it had failed to do so.
- Employment Agreements
- Employee Handbook/Work Procedures
- Information and Communications Technology (ICT) Use Policy
This requirement arises from the general rules in Sections 6 to 12 of the Act (also known as the 7 data protection principles), which must be complied with by all Data Users. These general rules are, however, supplemented by the specific regulations made under:-
(B.1) the Personal Data Protection Standards 2015 issued by Personal Data Protection Commissioner; and
(B.2) the Personal Data Protection Code of Practice for employers in the Utilities Sector (Electricity), Insurance/Takaful Industry, Banking and Financial Sector, and Transportation Sector (Aviation) (with effective dates set out below).
Personal Data Protection Standards 2015
While there is as yet no specific Personal Data Protection Code of Practice for Employment giving detailed guidance on how employees’ data should be treated, the Personal Data Protection Standards 2015, issued by the Personal Data Protection Commissioner and in force since 23 December 2015 (“the Standards”), set out some useful, if basic, standards to be spelt out in the employer’s written policy on its handling of employees’ personal data. Falling below the Standards is an offence and, on conviction, is punishable by a fine not exceeding RM250,000 or imprisonment for a term not exceeding two (2) years, or both.
Personal Data Protection Code of Practice
It must be noted that the Personal Data Protection Commissioner has recently registered the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) (with effect from 23 June 2016), the Personal Data Protection Code of Practice for the Insurance/Takaful Industry (with effect from 23 December 2016), the Personal Data Protection Code of Practice for the Banking and Financial Sector (with effect from 19 January 2017), and the Personal Data Protection Code of Practice for the Transportation Sector (Aviation) (with effect from 21 November 2017). These set out clear and collective guidance which the respective industries are obliged to follow in handling the personal data of customers and employees; likewise, failure to comply with a Code of Practice is an offence and, on conviction, is punishable by a fine not exceeding RM100,000 or imprisonment for a term not exceeding one (1) year, or both.
While protection of personal data is vital for customers, it is equally important in respect of the employees.
Ideally, employers could appoint a Data Protection Officer/Manager who will be responsible for data protection compliance in the business as well as employment.
Last but not least, it is believed that a specific Code of Practice for Employment is still the most practical measure to ensure the best practices of data protection in employment.
What then remains for the employer is to provide training to create awareness amongst employees, and to keep abreast of developments in this area of the law.
About the author:
This article was written by Chia Swee Yik, Partner of this Firm (+6016 2148 218, firstname.lastname@example.org), who provides advice on Malaysian Personal Data Protection Law, which includes the developing of privacy policies and procedures in place for the employer as well as training.